capabilities not preserved on installation

Bug #1302192 reported by Matteo Croce
This bug affects 4 people
Affects                    Status         Importance   Assigned to    Milestone
attr (Ubuntu)              Fix Released   Critical     Colin Watson
  Trusty                   Fix Released   Critical     Colin Watson
iputils (Ubuntu)           Confirmed      Undecided    Unassigned
  Trusty                   Confirmed      Undecided    Unassigned
live-installer (Ubuntu)    Fix Released   Critical     Unassigned
  Trusty                   Fix Released   Critical     Unassigned
livecd-rootfs (Ubuntu)     Fix Released   Undecided    Unassigned
  Bionic                   Fix Released   Undecided    Unassigned
ubiquity (Ubuntu)          Fix Released   Critical     Colin Watson
  Trusty                   Fix Released   Critical     Colin Watson

Bug Description

Ping is no longer setuid root and I have to ping as root:

[~]$ ping kubuntu.org
ping: icmp open socket: Operation not permitted
[~]$ sudo ping kubuntu.org
PING kubuntu.org (91.189.94.156) 56(84) bytes of data.
64 bytes from vostok.canonical.com (91.189.94.156): icmp_seq=1 ttl=51 time=52.2 ms
--- kubuntu.org ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 52.231/52.231/52.231/0.000 ms
[~]$

Related bugs:
 bug 1313550: ping does not work as a normal user on trusty tarball cloud images.

Revision history for this message
Ryan Beisner (1chb1n) wrote :

Ubuntu Server Trusty daily build 2014-APR-07 exhibits this symptom.

Can't ping as a user, only as super user.

$ ping google.com
$ ping: icmp open socket: Operation not permitted

$ sudo ping google.com
executes and pings as originally expected

Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in iputils (Ubuntu):
status: New → Confirmed
Ryan Beisner (1chb1n)
tags: added: trusty
Revision history for this message
Ubuntu QA Website (ubuntuqa) wrote :

This bug has been reported on the Ubuntu ISO testing tracker.

A list of all reports related to this bug can be found here:
http://iso.qa.ubuntu.com/qatracker/reports/bugs/1302192

tags: added: iso-testing
Revision history for this message
Ryan Beisner (1chb1n) wrote :

##### WORKAROUND #####
rbeisner@132-5:/bin$ ls -alh ping
-rwxr-xr-x 1 root root 44K Mar 15 01:24 ping

rbeisner@132-5:/bin$ sudo chmod u+s ping

rbeisner@132-5:/bin$ ls -alh ping
-rwsr-xr-x 1 root root 44K Mar 15 01:24 ping

##### SYSTEM INFO #####
Installed from amd64 server ISO 2014-APR-07.

rbeisner@132-5:~$ dpkg -l | grep iputils
ii iputils-ping 3:20121221-4ubuntu1 amd64 Tools to test the reachability of network hosts
ii iputils-tracepath 3:20121221-4ubuntu1 amd64 Tools to trace the network path to a remote host

rbeisner@132-5:~$ uname -a
Linux 132-5 3.13.0-23-generic #45-Ubuntu SMP Fri Apr 4 06:58:38 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

rbeisner@132-5:~$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu Trusty Tahr (development branch)
Release: 14.04
Codename: trusty

Revision history for this message
Robie Basak (racb) wrote :

Cloud image unaffected: release=trusty arch=amd64 label=daily (20140407)

$ getcap /bin/ping
/bin/ping = cap_net_raw+p
$ stat /bin/ping
  File: ‘/bin/ping’
  Size: 44168 Blocks: 88 IO Block: 4096 regular file
Device: fd01h/64769d Inode: 30 Links: 1
Access: (0755/-rwxr-xr-x) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2014-04-07 15:54:48.862673866 +0000
Modify: 2014-03-15 06:24:49.000000000 +0000
Change: 2014-04-07 00:38:10.037813920 +0000
 Birth: -

Revision history for this message
Ryan Beisner (1chb1n) wrote :

Confirmed issue exists on another installation from Trusty daily iso 20140407.

rbeisner@130-5:~$ getcap /bin/ping
rbeisner@130-5:~$ stat /bin/ping
  File: ‘/bin/ping’
  Size: 44168 Blocks: 88 IO Block: 4096 regular file
Device: fd01h/64769d Inode: 262218 Links: 1
Access: (0755/-rwxr-xr-x) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2014-04-07 10:09:02.262988339 -0500
Modify: 2014-03-15 01:24:49.000000000 -0500
Change: 2014-04-07 09:20:34.510799000 -0500
 Birth: -

Revision history for this message
Ryan Beisner (1chb1n) wrote :

Add'l (probably more current & correct) workaround:
$ sudo setcap cap_net_raw+p /bin/ping

Also, confirming this exists in the 2014-APR-08 Trusty server daily ISO.

Revision history for this message
Colin Watson (cjwatson) wrote :

Looks like ubiquity needs to preserve capabilities. I'll check live-installer too.

summary: - ping is not setuid root
+ capabilities not preserved on installation
affects: iputils (Ubuntu Trusty) → ubiquity (Ubuntu Trusty)
Colin Watson (cjwatson)
Changed in ubiquity (Ubuntu Trusty):
importance: Undecided → Critical
assignee: nobody → Colin Watson (cjwatson)
status: Confirmed → Triaged
Revision history for this message
Colin Watson (cjwatson) wrote :

OK. ubiquity looks reasonably straightforward thanks to new facilities in Python 3.3.

live-installer is affected, and is trickier. It's just using tar to shovel files around. Unfortunately busybox tar has no xattr support, and I'd expect adding it to be not entirely trivial. I'll have to think about how to solve this.

Changed in ubiquity (Ubuntu Trusty):
status: Triaged → In Progress
Changed in live-installer (Ubuntu Trusty):
status: New → Triaged
importance: Undecided → Critical
Colin Watson (cjwatson)
Changed in ubiquity (Ubuntu Trusty):
status: In Progress → Fix Committed
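
A read-only check for the symptom in this thread, added here as an example (it is not code from ubiquity, live-installer or any commenter): it decodes the security.capability extended attribute that getcap reads, using os.getxattr from Python 3.3+, and compares an installed root against an expected list. The function names, the expected-capability manifest and the sample blob are assumptions constructed for illustration.

```python
import errno
import os
import struct

# Kernel CAP_* bit numbers for the capabilities this example names.
CAP_NAMES = {10: "cap_net_bind_service", 12: "cap_net_admin", 13: "cap_net_raw"}
# Count of 32-bit {permitted, inheritable} pairs per vfs_cap_data revision.
PAIRS = {0x01000000: 1, 0x02000000: 2, 0x03000000: 2}
VFS_CAP_FLAGS_EFFECTIVE = 0x000001
# Constructed sample: revision-2 blob with only bit 13 permitted,
# which getcap prints as cap_net_raw+p.
SAMPLE_PING_XATTR = struct.pack("<IIIII", 0x02000000, 1 << 13, 0, 0, 0)

def decode_file_caps(raw):
    """Decode a security.capability value into {capability: flags}."""
    magic = struct.unpack_from("<I", raw)[0] if len(raw) >= 4 else 0
    pairs = PAIRS.get(magic & 0xFF000000)
    if pairs is None or len(raw) < 4 + 8 * pairs:
        raise ValueError("not a vfs_cap_data blob")
    words = struct.unpack_from("<%dI" % (2 * pairs), raw, 4)
    permitted = sum(w << (32 * i) for i, w in enumerate(words[0::2]))
    inheritable = sum(w << (32 * i) for i, w in enumerate(words[1::2]))
    eff = "e" if magic & VFS_CAP_FLAGS_EFFECTIVE else ""
    caps = {}
    for bit in range(32 * pairs):
        in_p, in_i = permitted >> bit & 1, inheritable >> bit & 1
        if in_p or in_i:
            name = CAP_NAMES.get(bit, "cap_%d" % bit)
            caps[name] = eff + ("i" if in_i else "") + ("p" if in_p else "")
    return caps

def read_file_caps(path, getxattr=os.getxattr):
    """Decoded capabilities of path; {} when the xattr is absent."""
    try:
        return decode_file_caps(getxattr(path, "security.capability"))
    except OSError as exc:
        if exc.errno not in (errno.ENODATA, errno.ENOTSUP):
            raise
        return {}

def audit(root, expected, getxattr=os.getxattr):
    """Return {path: (expected, found)} for each file whose caps differ."""
    found = {rel: read_file_caps(os.path.join(root, rel.lstrip("/")), getxattr)
             for rel in expected}
    return {rel: (expected[rel], got) for rel, got in found.items()
            if got != expected[rel]}

if __name__ == "__main__":
    wanted = {"/bin/ping": {"cap_net_raw": "p"}}  # assumed manifest
    wanted = {p: c for p, c in wanted.items() if os.path.lexists(p)}
    print(audit("/", wanted) or "all expected capabilities present")
```

Pointing audit() at the mounted target root instead of "/" lets the same check run before first boot of a freshly installed system.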
Revision history for this message
Colin Watson (cjwatson) wrote :
Colin Watson (cjwatson)
Changed in attr (Ubuntu Trusty):
status: New → In Progress
importance: Undecided → Critical
assignee: nobody → Colin Watson (cjwatson)
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package attr - 1:2.4.47-1ubuntu1

---------------
attr (1:2.4.47-1ubuntu1) trusty; urgency=medium

  * Add attr-udeb and libattr1-udeb binary packages, for use by
    live-installer to copy extended attributes (LP: #1302192).
 -- Colin Watson <email address hidden> Wed, 09 Apr 2014 15:06:11 +0100

Changed in attr (Ubuntu Trusty):
status: In Progress → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package live-installer - 44ubuntu2

---------------
live-installer (44ubuntu2) trusty; urgency=medium

  * Copy extended attributes to target system (LP: #1302192).
 -- Colin Watson <email address hidden> Wed, 09 Apr 2014 21:45:23 +0100

Changed in live-installer (Ubuntu Trusty):
status: Triaged → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ubiquity - 2.17.13

---------------
ubiquity (2.17.13) trusty; urgency=medium

  * Copy extended attributes to target system (LP: #1302192).
  * Automatic update of included source packages: grub-installer
    1.78ubuntu20, user-setup 1.48ubuntu2.
  * Update translations from Launchpad.
  * Remove lots of cruft relating to removed Ubuntu One, webcam, and
    migration-assistant steps.
 -- Colin Watson <email address hidden> Wed, 09 Apr 2014 22:36:22 +0100

Changed in ubiquity (Ubuntu Trusty):
status: Fix Committed → Fix Released
Revision history for this message
Ryan Beisner (1chb1n) wrote :

Confirmed fix on Trusty server iso 2014-apr-10.

Thank you all!

Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in iputils (Ubuntu Trusty):
status: New → Confirmed
Changed in iputils (Ubuntu):
status: New → Confirmed
Scott Moser (smoser)
description: updated
Steve Langasek (vorlon)
no longer affects: livecd-rootfs (Ubuntu Trusty)
tags: added: id-5b627c65197f7e26d03c7439
tags: added: id-5b61e0dfee899a8671484afe
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package livecd-rootfs - 2.534

---------------
livecd-rootfs (2.534) cosmic; urgency=medium

  [ Michael Hudson-Doyle ]
  * Disable journald rate limiting in the live-server live session.
    (LP: #1776891)

  [ Steve Langasek ]
  * generate all tar files with --xattrs. LP: #1302192.

 -- Steve Langasek <email address hidden> Mon, 06 Aug 2018 13:12:02 -0700

Changed in livecd-rootfs (Ubuntu):
status: New → Fix Released
Revision history for this message
Matteo Croce (teknoraver) wrote : Re: [Bug 1302192] Re: capabilities not preserved on installation

Well, you could even enable ping capabilities by unprivileged users
with the ICMP socket type:

# sysctl -w net.ipv4.ping_group_range='0 65536'
$ strace -esocket ping 127.0.0.1
socket(AF_INET, SOCK_DGRAM, IPPROTO_ICMP) = 3

Regards,
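
A Linux-only check related to the sysctl in the message above, added here as an example and not part of the original e-mail: it reports whether any group of the current process falls inside net.ipv4.ping_group_range and whether the unprivileged ICMP datagram socket can actually be opened. Function names are assumptions for illustration.

```python
import os
import socket

PING_RANGE_FILE = "/proc/sys/net/ipv4/ping_group_range"

def gids_in_ping_range(range_text, gids):
    """Return the gids inside the inclusive 'low high' range.

    The kernel default '1 0' is an empty range, so nobody qualifies.
    """
    low, high = (int(field) for field in range_text.split())
    return sorted(g for g in set(gids) if low <= g <= high)

def can_open_icmp_socket():
    """Try the same socket() call shown in the strace output above."""
    try:
        socket.socket(socket.AF_INET, socket.SOCK_DGRAM,
                      socket.IPPROTO_ICMP).close()
        return True
    except OSError:  # EACCES when no group of the process is in range
        return False

def report():
    """Summarise the sysctl value, matching gids and the socket probe."""
    with open(PING_RANGE_FILE) as fh:
        text = fh.read()
    mine = [os.getegid()] + os.getgroups()
    return {"range": text.split(),
            "matching_gids": gids_in_ping_range(text, mine),
            "socket_ok": can_open_icmp_socket()}

if __name__ == "__main__":
    print(report())
```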

Revision history for this message
Brian Murray (brian-murray) wrote : Please test proposed package

Hello Matteo, or anyone else affected,

Accepted livecd-rootfs into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/livecd-rootfs/2.525.6 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in livecd-rootfs (Ubuntu Bionic):
status: New → Fix Committed
tags: added: verification-needed verification-needed-bionic
Revision history for this message
Steve Langasek (vorlon) wrote :

This is in use in cosmic and the autopkgtests pass in bionic. I don't think any further SRU verification is necessary here.

tags: added: verification-done verification-done-bionic
removed: verification-needed verification-needed-bionic
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package livecd-rootfs - 2.525.6

---------------
livecd-rootfs (2.525.6) bionic; urgency=medium

  [ Steve Langasek ]
  * generate all tar files with --xattrs. LP: #1302192.

  [ Daniel Watkins ]
  * ubuntu-cpc: Reintroduce the -root.tar.xz artifact (LP: #1585233).
  * ubuntu-cpc: Generate the root image contents once, and use it for both the
    -root.tar.xz and the .squashfs.
  * ubuntu-cpc: Generate -root.tar.xz with --xattrs.

 -- Steve Langasek <email address hidden> Mon, 06 Aug 2018 14:16:04 -0700

Changed in livecd-rootfs (Ubuntu Bionic):
status: Fix Committed → Fix Released
Revision history for this message
Łukasz Zemczak (sil2100) wrote : Update Released

The verification of the Stable Release Update for livecd-rootfs has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Revision history for this message
Dimitri John Ledkov (xnox) wrote :

I thought as part of this work we agreed to always unpack tar with xattrs, but I'm not sure how to check if this was done or in place. Will investigate.
